If you examine the 4.9-million-word "Ultimate Password List" at http://area51archives.com/index.php?title=Ultimate_Password_List (15MB .rar file that unpacks into 6 text files), here are the alphabetical entries around "b1", which is how b1Ackb0x3!1 starts. Why would a hacker zero in on that area if he had *no information at all* about the password?

I think a hacker would first use a password list like this. After failing with the password list he would resort to a brute force attack if he was *really* determined to get at that specific account using a computer-based approach and not social engineering or a rubber-hose attack. Plugging b1Ackb0x3!1 into Steve Gibson's Interactive Brute Force Password “Search Space” Calculator at https://www.grc.com/haystack.htm gives 1.83 billion centuries as the time required to exhaustively search that password's space in an online attacking scenario, 18.23 centuries in an offline fast attack scenario, and 1.83 years in a hypothetical "massive cracking array" scenario at a hypothetical one hundred trillion guesses per second.

If you are going to latch on to that "1.83 years" and say, "See, told you, it's not strong," well. . . .

How about you guys who are saying that b1Ackb0x3!1 is not strong drop it into a sign-up page somewhere to *any* site that checks password strength and see what it says?

Better idea, since I could maybe guess what your response will be — those sites don't take leetspeak into account — is there someone who actually cracks passwords for a living who would comment on it? Now, I know that if there is someone here who actually does do that for a living they are not likely to admit it, but I'm just interested in a "professional" view.

But I have another tip for you: You can use it as a strength meter by choosing each character at random. This means each possible character must have the exact same probability and this should not depend on previous characters.
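The search-space arithmetic behind the brute-force figures quoted in the thread, together with the uniform, independent character selection the last post describes, as an added example (not code from any poster or from grc.com). The 95-symbol printable-ASCII alphabet and the 365.25-day year are assumptions; the 1e14 guesses-per-second rate is the "massive cracking array" figure quoted above.

```python
import math
import secrets
import string

# Assumed alphabet: printable ASCII classes, 26 + 26 + 10 + 33 = 95 symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation + " ")
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password):
    """Alphabet an exhaustive search must cover: the sum of every
    character class the password draws from."""
    return sum(len(c) for c in CLASSES if any(ch in c for ch in password))


def search_space(alphabet, length):
    """Number of candidates of length 1..length over the alphabet."""
    return sum(alphabet ** n for n in range(1, length + 1))


def years_to_exhaust(password, guesses_per_second):
    """Worst-case time for a blind exhaustive search at the given rate."""
    space = search_space(alphabet_size(password), len(password))
    return space / guesses_per_second / SECONDS_PER_YEAR


def random_password(length, alphabet="".join(CLASSES)):
    """Each character is drawn uniformly and independently from the OS
    CSPRNG; only then does the search-space figure describe strength."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet, length):
    """Entropy of a password produced by random_password()."""
    return length * math.log2(alphabet)


if __name__ == "__main__":
    quoted = "b1Ackb0x3!1"  # the password discussed in the thread
    print(alphabet_size(quoted), search_space(95, 11))
    print(round(years_to_exhaust(quoted, 1e14), 2), "years at 1e14 guesses/s")
    print(random_password(11), round(entropy_bits(95, 11), 1), "bits")
```

The years figure is an upper bound for a blind exhaustive search only; it equals the real strength only for a password produced the way `random_password()` produces one.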